Apple Patches iTunes MPEG Decoding Flaw

The company releases a new version of iTunes that fixes a serious security vulnerability and also adds new video features.

0shares

Apple Computer Inc. has debuted version 4.8 of its iTunes music-playing application, which adds support for a few new features and fixes a serious security vulnerability.

The update is Apple's third serious security fix in as many weeks, following a combined update last week repairing 20 bugs, and an April patch for OS X and the Safari browser. All three have included vulnerabilities that could allow an Internet attacker to take over a system.

The iTunes flaw, affecting versions of the software up to 4.8, involves the way the application parses MPEG-4 files, such as the AAC (Advanced Audio Coding) files sold on the iTunes Music Store. A buffer overflow could be exploited by malicious MPEG-4 files to cause iTunes to crash or execute malicious code. The flaw was discovered by NGS Software, according to Apple's advisory.

The new iTunes version fixes the problem by improving the validation checks used when loading MPEG-4 files, Apple officials said. Independent security firm Secunia gave the flaw a "highly critical" rating. iTunes has become widespread on enterprise and home desktops due to the success of Apple's iPod music player, which uses iTunes as its interface on Windows and Mac OS X.

Automatic Renewal Program: Your subscription will continue without interruption for as long as you wish, unless
you instruct us otherwise. Your subscription will automatically renew at the end of the term unless you authorize
cancellation. Each year, you'll receive a notice and you authorize that your credit/debit card will be charged the
annual subscription rate(s). You may cancel at any time during your subscription and receive a full refund on all
unsent issues. If your credit/debit card or other billing method can not be charged, we will bill you directly instead. Contact Customer Service